Abstract

Teaching a computer security course which includes network administration and protection software is especially challenging because textbook tools are out of date by the time the text is published. In an effort to use lab activities that work effectively, we turned to the internet. This paper describes several resources for teaching computer security found on YouTube. We describe the media that worked well in the class/lab environment, and present some ideas for evaluating the YouTube materials. Using this popular web site has the added benefit of engaging students in computer security in an entertaining way.

Keywords: computer security, port scanner, YouTube, intrusion detection, password cracker, 
packet sniffer, security education, security tool 

1. INTRODUCTION 

Software security tools are an important part of a computer security course as well as a necessary component of the career preparation for a security professional. Software tools are used for defense of computer systems and for learning how attackers use them to gain unauthorized access to computer systems. Vulnerability and penetration testing, port scanning, and trap and trace simulations are just a few of the hands-on activities that students work with in a computer security course (Frank, 2009).

Skoudis and Liston (2006) offer a sufficiently thorough presentation of hack and defend software for a Securing Computer Systems course. They approach a broad range of security tools utilized during different phases of computer attacks and defense. This favorably reviewed volume is excellent for familiarizing students with a career-style resource. It can provide a practical central text. However, as educators, we are left with designing hands-on exercises based on practical information that will work in class. Designing and testing pedagogically meaningful laboratory activities for a computer security course is like chasing a moving target for several reasons. One is that any book we select for a security course is outdated before it is published. A second reason is that a security update on Wednesday can render a lab activity ineffective on Thursday. A third is that the security tool will change significantly, shortly after you write your lab activity and test it, or worse, be unavailable for download when lab time comes. Thus, we must adjust our approach to the lab practicum portion of a security course, and consider it a continuing journey rather than a destination. In the remainder of this paper, we present some ideas for enlivening this journey with a resource that our students are likely to be far more familiar with than we are, YouTube (2009). Considering that YouTube is the world's most popular video sharing site (Rutledge, 2008), we decided to investigate it as a vehicle for computer security instruction.

© 2010 EDSIG, http://isedj.org/8/34/, June 22, 2010
ISEDJ 8 (34), Werner and Frank

2. YOUTUBE AS YOUTOOL 

A text or trade book can describe security tools in operation, and provide the rationale and benefit of a security tool. We educators can demonstrate the tools in class. We often do so in teaching security, especially where a tool is dangerous in the hands of students, or where the computing environment is not amenable to running it. An alternative to or enrichment for prepared security lab activities and in-class demonstrations is finding YouTube (2009) videos that illustrate the security tools in action. The YouTube videos range from professional to amateur. We can play a video in class and follow with discussion, or students can preview a video prior to working in lab, and testing the features the video presents.

A simple YouTube search for a particular security tool yields both relevant and irrelevant links. Amongst pertinent links, some videos will be of poorer quality. Computer screens shown in the video may be illegible. The audio may be defective. The pace may be too rapid to follow. Some videos are sales pitches. A few are of hackers boasting about their alleged prowess. Yet some videos present a security professional applying a specific tool in an environment that would take a lot of time and effort to replicate in a lab setting.

The remainder of this section describes videos we have found appropriate for teaching about seven well-known computer security tools. Their quality ranges from excellent to superior.

Honeynets 

The original idea to use videos in teaching computer security occurred to us when we were developing an activity to describe the function of and rationale for creating a honeypot. Skoudis and Liston (2009) portray a honeypot as a "sacrificial host designed to attract and distract attackers." A honeynet is a network of honeypots.


Our universities would not allow us to set up a honeypot for security and legal reasons. We actively discuss the legal issues surrounding honeypots in class, spurred on by Spitzner's (2002) long term experience in the honeynet project (2009), so that students understand the gravity of participating in a honeypot. We used Google to search for honeypots and found the video Honeynet Web (2009) produced by the Honeynet Project (2009). We assigned our students to view this video and to answer questions about honeynets. This video is entertaining while being informative. It stimulated our appetite for more videos, and piloted us to a YouTube security tool search.

Nmap 

The nmap website (2009) provides free and open source port scanning software. Nmap is available in Windows and UNIX versions. Skoudis and Liston (2006) describe nmap in 25 pages of detail. We found only two suitable videos on YouTube which describe nmap. NMAP port scanning tool (2009) is a short introductory video by a Cochise College instructor that demonstrates installing and running nmap in a Windows environment. A nine minute video, EXCELLENT How to use nmap (2009), introduces two types of port scans and operating system fingerprinting with nmap. This video has background music and provides a description of a few command line flags and their meaning. Many users gave it five stars.

Netcat 

Netcat is often used for file transfer between the attacker and a victim's computer. Skoudis and Liston (2006) devote 20 pages to netcat, illustrating an assortment of ways to use it. The YouTube video Hacking and Your Computer Penetrate Your Own Network (2008) demonstrates installing netcat on a Windows system. At this writing, the URL provided in this video contains no netcat software, but it can be found at the Netcat (2004, 2006) ftp sites. Netcat Tutorial (2008) provides a short demonstration of the tool at the Windows command line. In both videos, netcat listens on a port and opens a command window backdoor for an attacker.

There were other netcat videos on YouTube, but they were either not in English or of poor quality. Since netcat is often referred to as the Swiss Army knife of network tools, and in 2006 was ranked the 4th most popular tool in a survey run by Insecure.org (Lyon, 2006), it is unfortunate that there are not more in-depth videos of such an important tool.

Snort 

Snort (2009) is a widely used open source network intrusion detection tool. Snort is rule-based, which is a different implementation than students see in the aforementioned tools. We found three videos to introduce Snort to students. Snort IDS with Kevin Rose (2008) is a six minute introduction to IDS and Snort. How to install and configure SNORT on an XP machine (2008) shows how to install, configure, and run Snort. This video is rather fast paced and lasts ten minutes. Students can replay it as often as desired. The video How to create a SNORT rule and test it (2008) experiments with Snort's detection of nmap (2008) FIN and XMAS scans. Additionally, it programs a snort rule to alert for someone visiting www.youtube.com. This clever video astutely connects the port scanner nmap with the intrusion detection ability of SNORT. As the videos demonstrate, Snort detects but does not thwart an intruder. Its advantage is that it provides more details about intrusions, and thus enables the network administrator to prevent future intrusions. Skoudis and Liston classify the free version of SNORT as a network sniffer, but describe the paid version as a sophisticated tool that can detect an attacker's subtle attempts to sneak past intrusion detection software such as SNORT. SNORT ranked 3rd in popularity as a security tool in the Insecure.org survey (Lyon, 2006).
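The flag test behind detecting FIN and XMAS scans can be shown in a few lines. The following is an added example, not code from the paper or from the videos it reviews: it reads the TCP flags byte of each header and alerts on a bare FIN or on FIN+PSH+URG, while ignoring the FIN+ACK of a normal connection close. The addresses, ports, sample packets and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed test data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def classify(header):
    """Return 'FIN', 'XMAS' or None based on the flags byte at offset 13."""
    if len(header) < 20:
        return None  # truncated header: flags cannot be read reliably
    flags = header[13] & 0x3F  # keep the six classic flags, drop ECE/CWR
    if flags == FIN:
        return "FIN"  # FIN with no ACK never occurs in a normal teardown
    if flags == FIN | PSH | URG:
        return "XMAS"
    return None

def alerts(packets):
    """packets: iterable of (src_ip, header bytes).
    Returns {(src_ip, scan_kind): sorted list of probed destination ports}."""
    hits = defaultdict(set)
    for src, hdr in packets:
        kind = classify(hdr)
        if kind:
            dport = struct.unpack("!H", hdr[2:4])[0]
            hits[(src, kind)].add(dport)
    return {key: sorted(ports) for key, ports in hits.items()}

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    ("192.0.2.10", tcp_header(40000, 22, FIN)),
    ("192.0.2.10", tcp_header(40000, 80, FIN)),
    ("192.0.2.11", tcp_header(40001, 443, FIN | PSH | URG)),
    ("198.51.100.5", tcp_header(51000, 80, SYN)),        # ordinary connect
    ("198.51.100.5", tcp_header(51000, 80, FIN | ACK)),  # ordinary close
    ("192.0.2.11", b"\x00\x01"),                         # truncated capture
]

if __name__ == "__main__":
    for (src, kind), ports in alerts(SAMPLE).items():
        print(f"ALERT {kind} scan from {src}, ports {ports}")
```

Like the tool in the paragraph above, this only reports what it sees; it does nothing to block the sender.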

John the Ripper 

John the Ripper (2009) is a well known free password cracking tool that runs on UNIX and Windows systems. We use it to show that weak passwords are vulnerable to a password cracker. Skoudis and Liston (2006) explain John the Ripper in some detail. For a laboratory exercise, we have our students download John the Ripper from the OpenWall website (2009) and run it on a UNIX password file.

The video John the ripper (2008) cracks a Windows password to the sound of Rap music. Another video also entitled John the Ripper (2008) and the Cracking Linux/Unix passwords using John the Ripper (2008) show un-shadowing a UNIX password file and running John to crack passwords. John the Ripper ranked 10th in popularity as a security tool in the Insecure.org survey (Lyon, 2006).

EnCase 

EnCase (Guidance, 2009) is the standard computer forensics tool used by law enforcement. The product is expensive even with a discount for university instruction. Since it takes significant time to learn to use EnCase, we demonstrate some of the tool's capabilities and leave in-depth analysis of EnCase to a computer forensics course. Although Skoudis and Liston (2006) do not explicitly mention EnCase, they discuss the role of forensic software in incident handling and investigation. YouTube videos enhance the EnCase software demonstration.

Although the YouTube video EnCase Computer Forensics Demo (2007) introduces EnCase dynamically, it moves quickly and requires some instructor explanation, as do most of the others discussed here. The YouTube video Recovering Deleted Files With Encase (2008) deletes a file on a USB drive and then recovers it with EnCase. This video clearly demonstrates that deleted file contents are not removed from the disk and may be retrievable by forensic software. Examining a Wiped Drive (Examining, 2009) demonstrates that wiping a drive with zeros prevents EnCase from finding any information on the drive. Examining File Slack with EnCase (Examining, 2008) shows how bits of information survive in file slack, the unused part of the last cluster in a file. File slack may contain bytes of information from a previously deleted file. These videos affirm important concepts in a relatively short amount of time. If no version of EnCase is available for a class demonstration, the videos offer a beneficial supplement to reading about incident handling.

Wireshark 

Wireshark (2009) is packet capture and network protocol analyzer software. Orebaugh (2007) offers a thorough description of this free product. Skoudis and Liston (2006) applaud this software as well, under its former name of Ethereal. The Wireshark interface is slightly different from Ethereal.

The wireshark videos are the best of those we have examined so far. Introduction to Wireshark (Part 1 of 3) (2008) is an excellent video introduction to installing and using wireshark. This video is an example of a high-quality security tools video. The screen images are clear. The explanations are lucid, both in wording and audio.

Intro to Wireshark: Packet Capture and Protocol Analysis (2008) is another excellent video. It demonstrates sniffing a password during a telnet login. Wireshark - IP Address, TCP/UDP Port Filters (2008) is a good video for showing students how to do port and IP address filtering.

3. SUMMARY AND REFLECTION 

The seven security tools mentioned in this paper represent a broad range of significant security tools extensively used by professionals. There are several more highly regarded security tools that we have yet to explore on YouTube.

At this point, we have decided that there are several factors to consider when selecting a YouTube video for enhancing instruction. One key advantage of all the YouTube videos is that they are publicly available and free. There is always the chance that a video is removed by the author or by YouTube, but that is a possibility with all web-based resources that are not your own. A second factor to consider is the impact of the information in the video. Does viewing the video make a point that works with the course material? A third aspect to take into account is the significant time required to review the videos and to determine whether to use them in class/lab or to assign them for outside of class viewing. The introductory demo style of video is well suited to homework. If you find that you need to clarify what the video is describing when you view it, then it is likely that students will need some guidance with it. A fourth element to consider is the length of the video. A superior video that is informative, has excellent sound and a fine picture, is more likely to engage students for a longer viewing time. However, if a video has pertinent content but is only fair in quality, we found it acceptable only when it was shorter, less than four minutes. The wireshark videos (Wireshark, 2009, 2008) (Intro, 2008) were the best we found thus far, and are our benchmarks for either a short or long lesson. Content, audio and video were very good to excellent on all four that we introduced above. A fifth feature to consider when reviewing videos is the overall quality. Some videos may have solid information, but may be difficult to hear or see. Since students can review them as often as they wish to, a short video of only fair sound or visual impression, yet with solid information may still be an acceptable choice.

Our students liked the video assignments, and we plan to continue using them, and increase the number of tools demonstrated via YouTube. We liked the variety that they added to the material. So far, all of the videos reviewed for this paper have been available since March, 2009 when first used in class. Many were posted in 2008. They were successfully accessed again on September 25, 2009. We feel that it is worth the effort to augment regular security lab material with the YouTube videos, despite the risk that they could disappear overnight. Students and instructors alike expect web resources to be dynamic. We believe that using YouTube as an educational resource is inevitable. Benkler's (2006) argument that society is in the midst of a drastic change in how we produce and consume services, including obtaining information, surely views education as a service. "Commons-based peer production...is the rise of effective, large-scale cooperative efforts—peer production of information, knowledge, and culture...We are beginning to see the expansion of this model...into every domain of information and cultural production." (Kazman, 2009)

We would like to encourage computer security professors and professionals to produce videos of security tools and to share them with others. There is a need for high quality video to illustrate security tool functionality.